The PCI Council has released valuable insights on Vulnerability Scans & ASV Guidance, particularly beneficial for SAQ A merchants.
Definitions
To follow this article you need, among other things, to know three terms: "Vulnerability Scan", "Approved Scanning Vendor (ASV)" and "Third Party Service Provider (TPSP)".
So that everyone shares the same understanding of these terms, their definitions are provided at the bottom of this page under Useful Terms. We encourage you to read them before continuing.
Which organizations should perform ASV scans?
With these basics in place, we can ask (and answer) which organizations should perform ASV scans and which systems should be included in them:
Your organization may be asked by an acquirer or payment brand to demonstrate compliance with the PCI DSS standard by completing a Report on Compliance (ROC) or a Self-Assessment Questionnaire (SAQ). Talk to the entity requesting this attestation to find out if you are being asked to complete a ROC or SAQ. If it is a SAQ, ask which SAQ is correct for your organization.
For merchants, ASV scans are included in SAQs A, A-EP, B-IP, C and D and the ROC.
SAQ D and ROC for service providers also include ASV scans.
ASV scans apply to Internet-exposed systems (such as web servers): these systems are the most exposed because they can be reached directly from the Internet and are therefore the first targets of criminals.
ASV scans added to SAQ A from PCI DSS version 4.0
SAQ A for PCI DSS v4 adds security controls to address the most common breaches that are also increasingly targeting merchants required to complete SAQ A. Among the added controls, we note that req. 11.3.2 addresses external vulnerability scans performed by an ASV.
The ASV scan requirements in SAQ A apply only to e-commerce merchant systems that host the web page that:
- redirects payment transactions to a PCI DSS-compliant TPSP; or
- includes an embedded payment page/form from a PCI DSS-compliant TPSP.
The intent is to minimize the risk of compromise by resolving vulnerabilities (identified by ASV scans) that could expose the merchant's link to the TPSP's payment page.
It is essential to confirm with your TPSP who is responsible for ASV scans. Ask your hosting TPSP for documentation confirming that:
- Your hosting services are PCI DSS compliant.
- Your website is included in the TPSP's ASV scans, identified by the external IP address, domain name, or URL of the web server hosting your site.
If your website is not included in the TPSP's ASV scans, agree with your TPSP on the best way to get your website scanned at least once every three months. If you need assistance contact the experts at Integrity360.
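As an added illustration of the check described above (example code, not from the PCI Council or Integrity360): a small Python tracker that reconciles a merchant's Internet-exposed assets against the scope and dates of the TPSP's ASV scan reports, flagging assets that are not in any scan scope or whose last passing scan is older than three months. The asset names, scan records and the 92-day reading of "three months" are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# "At least once every three months": 92 days is this script's reading of that
# interval (an assumption); align the value with your acquirer's expectation.
MAX_SCAN_AGE = timedelta(days=92)


@dataclass(frozen=True)
class AsvScan:
    """One ASV scan report as summarised from the TPSP's documentation."""
    scan_date: date
    passed: bool
    scope: frozenset  # external IPs, domain names and URLs the report covers


def asv_coverage_gaps(assets, scans, today):
    """Map each Internet-exposed merchant asset (external IP, domain name or URL)
    to a reason string when it lacks a passing ASV scan within MAX_SCAN_AGE.
    Assets are compared as exact strings; no host/URL normalisation is attempted."""
    gaps = {}
    for asset in sorted(assets):
        covering = [s for s in scans if asset in s.scope]
        if not covering:
            gaps[asset] = "not in any ASV scan scope: request scope documentation from the hosting TPSP"
            continue
        passing = [s for s in covering if s.passed]
        if not passing:
            gaps[asset] = "scanned but no passing scan on record: remediate and rescan"
            continue
        latest = max(s.scan_date for s in passing)
        age = today - latest
        if age > MAX_SCAN_AGE:
            gaps[asset] = f"last passing scan {latest.isoformat()} is {age.days} days old; rescan required"
    return gaps


# Constructed sample data (not taken from any real ASV report).
SAMPLE_ASSETS = {"shop.example.com", "203.0.113.10", "https://shop.example.com/checkout"}
SAMPLE_SCANS = [
    AsvScan(date(2024, 1, 15), True, frozenset({"shop.example.com", "203.0.113.10"})),
    AsvScan(date(2024, 4, 10), True, frozenset({"203.0.113.10"})),
    AsvScan(date(2024, 4, 20), False, frozenset({"shop.example.com"})),
]
SAMPLE_TODAY = date(2024, 5, 1)

if __name__ == "__main__":
    for asset, reason in asv_coverage_gaps(SAMPLE_ASSETS, SAMPLE_SCANS, SAMPLE_TODAY).items():
        print(f"{asset}: {reason}")
```

With the sample data, the IP address is covered by a recent passing scan, the domain's only passing scan is 107 days old, and the checkout URL has never been in scope.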
Useful Terms
Vulnerability Scan
A vulnerability scan is a combination of automated tools, techniques, and/or methods run against external and internal devices and servers, designed to expose potential vulnerabilities in applications, operating systems, and network devices that could be found and exploited by malicious individuals. New vulnerabilities, security holes and bugs are discovered every day. It is necessary to systematically and regularly check one's systems to identify weaknesses and address them promptly.
Approved Scanning Vendor (ASV)
ASVs are companies approved by PCI SSC to conduct external vulnerability scanning services. In this regard, PCI DSS requirement 11.3.2 requires proof of passing external vulnerability scans, performed by an ASV, at least once every three months. PCI SSC maintains a list of approved scanning vendors (ASVs) on its website. ASV scan solutions include the tools, methods, procedures, associated scan reports, processes for exchanging information between the ASV and the scan customer, and the processes used by ASV employees to:
- Operate the ASV scan solution.
- Work with the scan customer to coordinate and resolve matters.
- Review and interpret scan results, as needed.
- Generate the scan report.
- Submit the scan report to the scan customer.
Third-Party Service Provider (TPSP)
Any third party acting as a service provider on behalf of an entity. A TPSP may be a "Service Provider" or a "Multi-Tenant Service Provider."